CentOS security hardening – Here’s how to do it
The saying “Prevention is better than cure” is 100% true in server security.
Security hardening is a great way to avoid server hacks even in the latest CentOS 7.5 server.
But, the exact steps for hardening depends on the apps running on the server.
That’s why, as part of our Dedicated Support Services, we help server owners to implement suitable security hardening steps in their servers.
Today, let’s discuss on the 7 major steps in CentOS security hardening and the aspects to consider while changing live linux servers.
Steps for CentOS security hardening
The exact steps for hardening depends largely on the type of server. That is, a standalone linux server do not have the same set of steps as in a linux VPS.
Additionally, they differ depending on the purpose of the server too. There is a need for strict hardening for servers that allows users directly on the server.
Let’s now see the 7 major steps done by our Security Specialist Engineers for CentOS security hardening.
1. Securing File System
The file system is an integral part of your CentOS server with real data. So securing file system is really critical.
The major actions for this include,
i) Set proper mount options
In CentOS server, the disk partitioning system allows different ways for data handling on each section of disk. In some sections, users can only read or write the files. Or, in some others users can execute the files.
Depending on the functions on each section, our Support Engineers set the mount options in a file called “/etc/fstab“. Normally, we do not allow the execution of binaries on /home section and mount it with option “noexec“. For this, we set the fstab entry as
/dev/hda1 /home ext4 noexec 0 2
Similarly, the /boot partition that contains the server boot files need to be mounted as read-only.
ii) /tmp hardening
Many applications running on the server make use of the temporary directory, /tmp for execution of scripts. Because of this privilege, even the hackers can execute malicious scripts in this directory.
To prevent this, we mount /tmp with options such as nosuid, nodev and noexec. These options helps us to avoid misuse of user privileges on the server
iii) Lock down critical files
It is important to lock down certain critical files on the CentOS server. Basically, this avoids accidental deleting and overwriting of these files. The following commands secure the services file that maps ports to services, password, shadow files responsible for user passwords etc.
chattr +i /etc/services chattr +i /etc/passwd chattr +i /etc/shadow
Thus, it avoids automatic addition of new users to the system or hacker cannot install a program that will add new users.
iv) Remove unused accounts
CentOS server comes with many built-in accounts like adm, halt, games, amanda etc. Attackers often use them for server hacks. Hence it is wise to delete them on the server using the “userdel” command.
v) Disable 777 permissions
Yet another common reason for server hacks is full permission for files and directories. With 777 permissions, even a web user can execute files.
Therefore, our Hosting Support Engineers effectively checks and corrects the permission of such files and directories using scripts. For example, in a cPanel server, the files having full permission in /home directory can be found out by:
find /home -type f -perm 777
2. Firewall setup
It is a known fact that you cannot allow all sorts of traffic on the server for security reasons.
In CentOS, the firewalld utility comes as a rescue. It helps to protect the system ports, open or close specific services ports, especially well-known ports.
And we Install, start, enable and list the firewall rules by issuing the below commands:
yum install firewalld systemctl start firewalld.service systemctl enable firewalld.service firewall-cmd --list-all
Additionally, on servers with control panels, there are options to enable third-party firewall utilities like Config Server Firewall, Plesk firewall etc.
Firewall readily provides protection against server attacks. However, our Hosting Support Engineers prepare a list of important services running in the server prior to the firewall set up. And, ensure that all the services are working even after firewall implementation.
Another step in security hardening is restricting user privileges on the server. The typical actions that we do include:
i) Disabling direct root login
Firstly, we disable direct root login access to the server. Here, we set up a random privileged user on the server. Then, we allow “sudo” privileges for it. As a result, this new user can function as the root user.
Also, in the ssh configuration file, we disable root login using:
ii) Setup key based access
Another method to secure CentOS server is to completely disable ssh access on the server via login method. That is, users cannot access server with a username and password combination.
Only specially created key pair can give access to the server. This enhances server security and eliminates the risk of breaking into server using guessed passwords.
4.Customize ports and services
This is another important step to improve server security.
i)Setup custom ports instead of default ports.
Since standard ports are more vulnerable to attacks, it is a good idea to make services listen on alternate ports. That explains why our Hosting Engineers change the SSH port from 22 to any other desired port number.
ii) Disable unused services.
For this, we need to get an idea of services on the server. To list all installed services with their output status, execute the command
systemctl list-units -t service
For example, if you do not use Postfix service as a mail server, you can disable it by using:
yum remove postfix
Again, this is applicable in the case of all unused services on the server.
5. Tweak network parameters
For additional hardening of server, the kernel parameters that affect networking also need tweaking. This is done by modifying the file /etc/sysctl.conf.
Our Hosting Engineers set the tried and tested values in the file to enhance the security on the server. These changes help to enable IP spoofing protection, disable ICMP redirects etc. on the server.
6. Intrusion Resistance
Now that you have implemented steps to harden the server, it is really important to avoid further intrusion attempts. There are many good tools built into CentOS for guarding the system. Let’s have a look at two such tools.
i) Advanced Intrusion Detection Environment (AIDE)
AIDE takes a snapshot of the server, records modification times of files and directories on the server. It provides many techniques to evaluate and report any malicious change within the server.
We normally run scheduled AIDE checks by setting up a cron on the server.
Similarly, another option is to enable the Auditd service. It is responsible for writing audit records to disk. Auditd gives details about server performance and allows to closely monitor every activity in the server.
To install and enable auditd, use commands:
yum install audit systemctl enable auditd.service
The Auditd service allows customization to suit to your server requirements.
7. Configuring backup
Hardening is complete only when you have proper backups on the server configuration files and website data. The backups comes really handy when there is a need to restore files as in the case of hard disk crash.
Also, the server log files helps to track any suspicious activity on the server. So it is a best practice to have the backup of log files at a remote location. Even if any attacker gains root access and delete these files, we will have a backup copy.
Our Hosting Support Engineers recommend having a copy of backup on the server, as well as on a remote storage.
After-effects of CentOS security hardening
From our expertise in managing servers, we can surely tell that CentOS security hardening has direct impact on the way websites are working.
We’ll now take a look at the typical impact areas that we’ve seen.
1. When we prevent the execution of binaries on /home, any executable file will fail. So we need to take care of it while revoking execute permission on a partition.
2. Also, when we mount /tmp with noexec option, some programs might not work properly because they use /tmp to execute. Hence, it needs proper testing of the software with this mount option. We can proceed only after confirming that functionalities are not affected.
3. Again, /tmp hardening may often cause server reboot failures. So it is advised to arrange additional rescue options for the server like console access, in case of any failure.
4. The sysctl.conf tweaks do not apply to VPS servers as they are just containers on a large server. Also, the tweaks in sysctl conf may often cause unexpected issues with applications running on the server. So they need proper testing on live server.
Security hardening really helps to avoid server hacks. Today, we’ve discussed the 7 major steps in CentOS security hardening. Also, we saw the top precautions that our Hosting Support Engineers take while securing live servers.